Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Specifying a Custom Crypto Algorithm

Specifying a Custom Crypto Algorithm

WCF allows you to specify a custom crypto algorithm to use when encrypting data or computing digital signatures. This is done by the following steps:

  1. Derive a class from SecurityAlgorithmSuite

  2. Register the algorithm

  3. Configure the binding with the SecurityAlgorithmSuite-derived class.

Derive a class from SecurityAlgorithmSuite

The SecurityAlgorithmSuite is an abstract base class that allows you to specify the algorithm to use when performing various security related operations. For example, computing a hash for a digital signature or encrypting a message. The following code shows how to derive a class from SecurityAlgorithm:

public class MyCustomAlgorithmSuite : SecurityAlgorithmSuite
    {
        public override string DefaultAsymmetricKeyWrapAlgorithm
        {
            get { return SecurityAlgorithms.RsaOaepKeyWrap; }
        }

        public override string DefaultAsymmetricSignatureAlgorithm
        {
            get { return SecurityAlgorithms.RsaSha1Signature; }
        }

        public override string DefaultCanonicalizationAlgorithm
        {
            get { return SecurityAlgorithms.ExclusiveC14n; ; }
        }

        public override string DefaultDigestAlgorithm
        {
            get { return SecurityAlgorithms.MyCustomHashAlgorithm; }
        }

        public override string DefaultEncryptionAlgorithm
        {
            get { return SecurityAlgorithms.Aes128Encryption; }
        }

        public override int DefaultEncryptionKeyDerivationLength
        {
            get { return 128; }
        }

        public override int DefaultSignatureKeyDerivationLength
        {
            get { return 128; }
        }

        public override int DefaultSymmetricKeyLength
        {
            get { return 128; }
        }

        public override string DefaultSymmetricKeyWrapAlgorithm
        {
            get { return SecurityAlgorithms.Aes128Encryption; }
        }

        public override string DefaultSymmetricSignatureAlgorithm
        {
            get { return SecurityAlgorithms.HmacSha1Signature; }
        }

        public override bool IsAsymmetricKeyLengthSupported(int length)
        {
            return length >= 1024 && length <= 4096;
        }

        public override bool IsSymmetricKeyLengthSupported(int length)
        {
            return length >= 128 && length <= 256;
        }
    }


Register the Custom Algorithm

Registration can be done in a configuration file or in imperative code. Registering a custom algorithm is done by creating a mapping between a class that implements a crypto service provider and an alias. The alias is then mapped to a URI which is used when specifying the algorithm in the WCF service’s binding. The following configuration snippet illustrates how to register a custom algorithm in config:

<configuration>
   <mscorlib>
      <cryptographySettings>
         <cryptoNameMapping>
           <cryptoClasses>
              <cryptoClass SHA256CSP="System.Security.Cryptography.SHA256CryptoServiceProvider, System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
           </cryptoClasses>
           <nameEntry name="http://constoso.com/CustomAlgorithms/CustomHashAlgorithm"
              class="SHA256CSP" />
           </cryptoNameMapping>
        </cryptographySettings>
    </mscorlib>
</configuration>

The section under the <cryptoClasses> element creates the mapping between the SHA256CryptoServiceProvider and the alias “SHA256CSP”. The <nameEntry> element creates the mapping between the “SHA256CSP” alias and the specified URL (http://constoso.com/CustomAlgorithms/CustomHashAlgorithm ).

To register the custom algorithm in code use the AddAlgorithm method. This method creates both mappings. The following example shows how to call this method:

// Register the custom URI string defined for the hashAlgorithm in MyCustomAlgorithmSuite class to create the 
// SHA256CryptoServiceProvider hash algorithm object.
CryptoConfig.AddAlgorithm(typeof(SHA256CryptoServiceProvider), "http://constoso.com/CustomAlgorithms/CustomHashAlgorithm");

Configure the Binding

You configure the binding by specifying the custom SecurityAlgorithmSuite-derived class in the binding settings as shown in the following code snippet:

WSHttpBinding binding = new WSHttpBinding();
            binding.Security.Message.AlgorithmSuite = new MyCustomAlgorithmSuite();


For a complete code example, see the Cryptographic Agility in WCF Security sample.

See Also

Community Additions

ADD
Show:
© 2015 Microsoft